banging my head against the wall trying to get a Fortinet 60E to get a tunnel up with my cluster of Checkpoint 23500s. The 60E's are in a home user environment (currently my test DSL) , and the outside interface is DHCP'ing a 192.168 address. Outbound traffic is doing NAT through to the Internet and to my head end checkpoints. I ran through a bunch of the VPN wizards (sadly there isnt one for checkpoint). Eventually I was able to get P1 to come up by configuring certificates for auth in both directions. P2 will not pop though and Im at a loss as to why.
Below is my P2 config:
AES / SHA 1
PFS DH Group 2
Key Lifetime 3600 seconds
The wizard created a Tunnel Interface and some policies
From TO SRC DST
FN_Internal Zone Tunnel Int Fort_Internal_Subnet All
Tunnel Int FN_Internal Zone All Fortinet_Internal_Subnet
There is also a static route: traffic destined for 0.0.0.0/0 send into the Tunnel Interface
Can anyone help me identify whats going on ? Im at a loss. I know this can and does work for some. Seems like P1 just times out waiting for P2 ? There is plenty of traffic trying to head in both directions. Any help is appreciated. Thx.
Below are the debug logs from the Fortinet Side ( heavily redacted ) :
ike 0:TO_UCH:29::62: cfg-mode negotiation failed due to retry timeout ike 0:TO_UCH:29: send IKE SA delete 1df1f592a813719c/ecaa2bedcc912d0c ike 0:TO_UCH:29: enc *string-removed-for-security-reasons* ike 0:TO_UCH:29: out *string-removed-for-security-reasons* ike 0:TO_UCH:29: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.1.65:4500->1.1.1.200:4500, len=92, id=*string-removed-for-security-reasons* ike 0:TO_UCH: connection expiring due to phase1 down ike 0:TO_UCH: deleting ike 0:TO_UCH: schedule auto-negotiate ike 0:TO_UCH: reset NAT-T ike 0:TO_UCH: deleted ike 0:TO_UCH: set oper down ike 0: cache rebuild start ike 0:TO_UCH: sending DNS request for remote peer fake.fake.edu ike 0: cache rebuild done ike 0: DNS response received for remote gateway fake.fake.edu ike 0: DNS fake.fake.edu -> 1.1.1.200 ike 0:TO_UCH: 'fake.fake.edu' resolved to 1.1.1.200 ike 0:TO_UCH: set remote-gw 1.1.1.200 ike 0: cache rebuild start ike 0:TO_UCH: cached as static-ddns ike 0: cache rebuild done ike 0:TO_UCH: auto-negotiate connection ike 0:TO_UCH: created connection: *string-removed-for-security-reasons* 5 192.168.1.65->1.1.1.200:500. ike 0:TO_UCH:30: initiator: main mode is sending 1st message... ike 0:TO_UCH:30: cookie *string-removed-for-security-reasons* ike 0:TO_UCH:30: out *string-removed-for-security-reasons* ike 0:TO_UCH:30: sent IKE msg (ident_i1send): 192.168.1.65:500->1.1.1.200:500, len=312, id=*string-removed-for-security-reasons* ike 0: comes 1.1.1.200:500->192.168.1.65:500,ifindex=5.... ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons* len=128 ike 0: in *string-removed-for-security-reasons* ike 0:TO_UCH:30: initiator: main mode get 1st response... ike 0:TO_UCH:30: VID FRAGMENTATION *string-removed-for-security-reasons* ike 0:TO_UCH:30: VID draft-ietf-ipsec-nat-t-ike-02\n *string-removed-for-security-reasons* ike 0:TO_UCH:30: selected NAT-T version: draft-ietf-ipsec-nat-t-ike-02\n ike 0:TO_UCH:30: negotiation result ike 0:TO_UCH:30: proposal id = 1: ike 0:TO_UCH:30: protocol id = ISAKMP: ike 0:TO_UCH:30: trans_id = KEY_IKE. ike 0:TO_UCH:30: encapsulation = IKE/none ike 0:TO_UCH:30: type=OAKLEY_ENCRYPT_ALG, val=AES_CBC, key-len=128 ike 0:TO_UCH:30: type=OAKLEY_HASH_ALG, val=SHA. ike 0:TO_UCH:30: type=AUTH_METHOD, val=RSA_SIG. ike 0:TO_UCH:30: type=OAKLEY_GROUP, val=MODP1024. ike 0:TO_UCH:30: ISAKMP SA lifetime=86400 ike 0:TO_UCH:30: out *string-removed-for-security-reasons* ike 0:TO_UCH:30: sent IKE msg (ident_i2send): 192.168.1.65:500->1.1.1.200:500, len=228, id=*string removed for security reasons*/*string removed for security reasons* ike 0: comes 1.1.1.200:500->192.168.1.65:500,ifindex=5.... ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons* len=491 ike 0: in *string-removed-for-security-reasons* ike 0:TO_UCH:30: initiator: main mode get 2nd response... ike 0:TO_UCH:30: received NAT-D payload type 130 ike 0:TO_UCH:30: received NAT-D payload type 130 ike 0:TO_UCH:30: NAT detected: ME ike 0:TO_UCH:30: NAT-T float port 4500 ike 0:TO_UCH:30: ISAKMP SA *string-removed-for-security-reasons* key 16:*string-removed-for-security-reasons* ike 0:TO_UCH: sending 1 CERTREQ payload ike 0:TO_UCH:30: local cert, subject='fnet0001.fake.com', issuer='Fake Issuing Authority' ike 0:TO_UCH:30: local CA cert, subject='Fake Issuing Authority', issuer='Fake Root Authority' ike 0:TO_UCH:30: local CA cert, subject='Fake Root Authority', issuer='Fake Root Authority' ike 0:TO_UCH:30: add INITIAL-CONTACT ike 0:TO_UCH:30: enc *string-removed-for-security-reasons* ike 0:TO_UCH:30: sent IKE msg (ident_i3send): 192.168.1.65:4500->1.1.1.200:4500, len=4364, id=*string-removed-for-security-reasons* ike 0: comes 1.1.1.200:4500->192.168.1.65:4500,ifindex=5.... ike 0: IKEv1 exchange=Identity Protection id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons* len=1292 ike 0: in *string-removed-for-security-reasons* ike 0:TO_UCH:30: initiator: main mode get 3rd response... ike 0:TO_UCH:30: dec *string-removed-for-security-reasons* ike 0:TO_UCH:30: VID DPD *string-removed-for-security-reasons* ike 0:TO_UCH:30: peer identifier IPV4_ADDR 1.1.1.200 ike 0:TO_UCH:30: Validating X.509 certificate ike 0:TO_UCH:30: peer cert, subject='Fake VPN Certificate', issuer='ôÇÒV' ike 0:TO_UCH:30: peer ID verified ike 0:TO_UCH:30: building fnbam peer candidate list ike 0:TO_UCH:30: FNBAM_GROUP_NAME candidate 'Fake Cert' ike 0:TO_UCH:30: certificate validation pending ike 0:TO_UCH:30: certificate validation complete ike 0:TO_UCH:30: certificate validation succeeded ike 0:TO_UCH:30: signature verification succeeded ike 0:TO_UCH:30: established IKE SA *string-removed-for-security-reasons*/*string-removed-for-security-reasons* ike 0:TO_UCH:30: initiating mode-cfg pull from peer ike 0:TO_UCH:30: mode-cfg request APPLICATION_VERSION ike 0:TO_UCH:30: mode-cfg request INTERNAL_IP4_ADDRESS ike 0:TO_UCH:30: mode-cfg request INTERNAL_IP4_NETMASK ike 0:TO_UCH:30: mode-cfg request UNITY_SPLIT_INCLUDE ike 0:TO_UCH:30: mode-cfg request UNITY_PFS ike 0:TO_UCH:30: enc *string-removed-for-security-reasons* ike 0:TO_UCH:30: out *string-removed-for-security-reasons* ike 0:TO_UCH:30: sent IKE msg (cfg_send): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string-removed-for-security-reasons*/*string-removed-for-security-reasons*:*string-removed-for-security-reasons* ike 0:TO_UCH:30: out *string removed for security reasons* ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string removed for security reasons*/*string removed for security reasons*:*string-removed-for-security-reasons* ike 0:TO_UCH:30: out *string removed for security reasons* ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string removed for security reasons*/*string removed for security reasons*:*string-removed-for-security-reasons* ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH:30: out *string removed for security reasons* ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string removed for security reasons*/*string removed for security reasons*:*string-removed-for-security-reasons* ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH:30: out *string removed for security reasons* ike 0:TO_UCH:30: sent IKE msg (CFG_RETRANS): 192.168.1.65:4500->1.1.1.200:4500, len=140, id=*string removed for security reasons*/*string removed for security reasons*:dbcc1b38 ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH: NAT keep-alive 5 192.168.1.65->1.1.1.200:4500. ike 0:TO_UCH:30: out FF ike 0:TO_UCH:30: sent IKE msg (keepalive): 192.168.1.65:4500->1.1.1.200:4500, len=1, id=*string removed for security reasons*/*string removed for security reasons*/*string removed for security reasons*/*string remov/ ike 0:TO_UCH:30::64: cfg-mode negotiation failed due to retry timeout ike 0:TO_UCH:30: send IKE SA delete *string removed for security reasons*/*string removed for security reasons* ike 0:TO_UCH:30: enc *string removed for security reasons* ike 0:TO_UCH:30: out *string removed for security reasons* ike 0:TO_UCH:30: sent IKE msg (ISAKMP SA DELETE-NOTIFY): 192.168.1.65:4500->1.1.1.200:4500, len=92, id=*string removed for security reasons*/*string removed for security reasons*:7e8a0b29 ike 0:TO_UCH: connection expiring due to phase1 down
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hmm
ike 0:TO_UCH:30::64: cfg-mode negotiation failed due to retry timeout
I see mode cfg, are we using these in a same fashion as vpnclient? Can you show the fortigate phase1/2 cfg
e.g
show vpn ipsec phase1-interface < name>
show vpn ipsec phase2-interface < name>
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1688 | |
1087 | |
752 | |
446 | |
227 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.